[exim] Re: List headers [Was: DKIM does not work]

Pàgina inicial
Delete this message
Reply to this message
Autor: Markus Reschke
Data:  
A: Andreas Metzler via Exim-users
Assumpte: [exim] Re: List headers [Was: DKIM does not work]
Hi!

I'm also looking into optimizing my DKIM configuration, especially which
headers to sign. Unfortunately, DMARC reports tell you only that the DKIM
verification failed but not why. The default for dkim_sign_headers doesn't
work well for me.

On Mon, 23 Oct 2023, Andreas Metzler via Exim-users wrote:

> I think it depends on which the header would be added. Some additions
> should be allowed. Exim's default setting for dkim_sign_headers is
> extremely conservative and imho does not make sense. I had tried to
> discuss this in https://bugs.exim.org/show_bug.cgi?id=2394.
>
> I personally am using +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Post
> I am sure this set is not perfect and I have missed something, though.


There some changes between the RFCs:

RFC4871, Section 5.5., Recommended Signature Content

    The following header fields SHOULD be included in the signature, if
    they are present in the message being signed:


    o  From (REQUIRED in all signatures)
    o  Sender, Reply-To
    o  Subject
    o  Date, Message-ID
    o  To, Cc
    o  MIME-Version
    o  Content-Type, Content-Transfer-Encoding, Content-ID, Content-
       Description
    o  Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc,
       Resent-Message-ID
    o  In-Reply-To, References
    o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
       List-Owner, List-Archive



RFC6376, Section 5.4.1, Recommended Signature Content

    o  From (REQUIRED; see Section 5.4)
    o  Reply-To
    o  Subject
    o  Date
    o  To, Cc
    o  Resent-Date, Resent-From, Resent-To, Resent-Cc
    o  In-Reply-To, References
    o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
       List-Owner, List-Archive


Wouldn't it make sense to update the default for dkim_sign_headers
accordingly? Anyway, I'll try RFC6376's recommended headers and hope it
will decrease my DKIM verification issues.

ciao
  Markus
-- 
/ Markus Reschke              \
\ madires@??? /



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/